I’m writing a DNS client, where records are queried and shown to the user, and I’m adding support for the SSHFP record type, which stores SSH fingerprints. Records of this type have three fields:
- The public key algorithm number (where 1 is RSA, 2 is DSS, 3 is ECDSA, among others)
- The hashing algorithm number (where 1 is SHA1, 2 is SHA-256)
- The fingerprint itself
After parsing the first two numbers from the packet, I was ready to write code to display “DSS” or “SHA1” for the algorithm fields, instead of just displaying “2” and “1”. However, in §3.2 of RFC 4255, which specifies the record type, this is explicitly forbidden (bolded for emphasis):
> The RDATA of the presentation format of the SSHFP resource record consists of two numbers (algorithm and fingerprint type) followed by the fingerprint itself, presented in hex, e.g.:
>
> host.example. SSHFP 2 1 123456789abcdef67890123456789abcdef67890
>
> **The use of mnemonics instead of numbers is not allowed.**
Why is this the case? Surely anyone who reads these numbers will go and look them up anyway, and as this is a presentation format rather than a data format, the underlying data will be the same no matter how it’s shown to a user.
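As an added illustration (not part of the question above, and not code from any particular DNS client), the following Python shows one way to keep the two concerns apart: the presentation format emitted and accepted by the client uses only the numeric fields, exactly as RFC 4255 §3.2 requires, while a separate annotation function supplies the mnemonics for display beside the record. The record layout (one octet of algorithm, one octet of fingerprint type, then the digest) is from RFC 4255 §3.1; the digest lengths for fingerprint types 1 and 2 are assumed from SHA1 (20 bytes) and SHA-256 (32 bytes). The sample RDATA is constructed from the RFC's own example line.

```python
from dataclasses import dataclass
from typing import Tuple

# Mnemonics live only in the annotation layer. They never appear in the
# presentation format, which RFC 4255 section 3.2 requires to be numeric.
PUBKEY_ALGORITHMS = {1: "RSA", 2: "DSS", 3: "ECDSA"}
FINGERPRINT_TYPES = {1: "SHA1", 2: "SHA-256"}
# Assumed digest lengths for the two fingerprint types named in the question.
DIGEST_LENGTHS = {1: 20, 2: 32}


@dataclass(frozen=True)
class SSHFP:
    algorithm: int
    fp_type: int
    fingerprint: bytes


def parse_sshfp_rdata(rdata: bytes) -> SSHFP:
    """Parse wire-format RDATA: 1 octet algorithm, 1 octet fingerprint type, then the digest."""
    if len(rdata) < 2:
        raise ValueError("SSHFP RDATA shorter than two octets")
    algorithm, fp_type = rdata[0], rdata[1]
    fingerprint = rdata[2:]
    expected = DIGEST_LENGTHS.get(fp_type)
    # Reject a truncated or padded digest for the types whose length is known;
    # unknown types are passed through so new registrations still display.
    if expected is not None and len(fingerprint) != expected:
        raise ValueError(
            f"fingerprint type {fp_type} expects {expected} bytes, got {len(fingerprint)}"
        )
    return SSHFP(algorithm, fp_type, fingerprint)


def to_presentation(owner: str, rec: SSHFP) -> str:
    """Presentation format: numeric fields only, fingerprint as lowercase hex."""
    return f"{owner} SSHFP {rec.algorithm} {rec.fp_type} {rec.fingerprint.hex()}"


def parse_presentation(line: str) -> Tuple[str, SSHFP]:
    """Parse a presentation-format line; mnemonics in the numeric fields are rejected."""
    fields = line.split()
    if len(fields) != 5 or fields[1].upper() != "SSHFP":
        raise ValueError("expected: <owner> SSHFP <algorithm> <fp-type> <hex-fingerprint>")
    owner, _, alg, fpt, hexfp = fields
    if not (alg.isdigit() and fpt.isdigit()):
        raise ValueError("SSHFP algorithm and fingerprint type must be numbers, not mnemonics")
    return owner, SSHFP(int(alg), int(fpt), bytes.fromhex(hexfp))


def describe(rec: SSHFP) -> str:
    """Human-readable annotation shown next to, never instead of, the numeric record."""
    alg = PUBKEY_ALGORITHMS.get(rec.algorithm, "unassigned")
    fpt = FINGERPRINT_TYPES.get(rec.fp_type, "unassigned")
    return f"algorithm {rec.algorithm} ({alg}), fingerprint type {rec.fp_type} ({fpt})"


if __name__ == "__main__":
    # Constructed RDATA matching the RFC 4255 example: algorithm 2, type 1, 20-byte digest.
    sample = bytes([2, 1]) + bytes.fromhex("123456789abcdef67890123456789abcdef67890")
    rec = parse_sshfp_rdata(sample)
    print(to_presentation("host.example.", rec))
    print("  ;", describe(rec))
```

Keeping `describe()` separate from `to_presentation()` means a record copied out of the client's output can be pasted straight back into a zone file or into `parse_presentation()`, and unknown algorithm or fingerprint-type numbers still round-trip unchanged rather than failing on a missing mnemonic.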